Applies to: Versions of Centrify DirectControl 5.x.x
The /tmp folder keeps filling up with krb5cc_* credential cache files even after upgrading the agent from 4.4.2 to version 5.x.x.
/tmp was completely emptied before the upgrade and has been filling back up ever since.
The user 'User1' is logging in via SSH and then using Telnet to query another system, as this is the only protocol this other system can accept:
workstation01:/tmp # ll krb5cc_*|wc -l
workstation01:/tmp # ll krb5cc_*| head
-rw------- 1 User2 support 1580 May 28 16:47 krb5cc_12712
-rw------- 1 User1 support 1490 May 28 16:01 krb5cc_127138
-rw------- 1 User3 support 1554 May 28 16:13 krb5cc_81517
-rw------- 1 User2 support 1580 May 28 16:47 krb5cc_cdc12712_0zi9F4
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_023m6n
-rw------- 1 User1 support 1490 May 28 18:01 krb5cc_cdc127138_02Hedz
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_04VDsw
-rw------- 1 User1 support 1490 May 28 16:09 krb5cc_cdc127138_04bNit
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_08XvhG
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_0B3nYr
workstation01:/tmp # w |grep User1
User1 pts/2 16:03 2:07m 0.02s 0.02s -ksh
User1 pts/7 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04930.us 50001
User1 pts/8 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04942.us 50001
User1 pts/9 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04926.us 50001
User1 pts/10 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04927.us 50001
User1 pts/11 16:03 2:07m 0.02s 0.00s telnet ext-sys.s04948.us 50001
User1 pts/12 06Apr13 52days 0.84s 0.84s -ksh
User1 pts/14 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04946.us 50001
User1 pts/15 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04958.us 50001
Why does this happen?
In order to keep each session separate, adclient by default maintains a separate user credential cache for each session, so that session 1 terminating will not affect session 2 of the same user. This means that if a user has multiple login sessions, each one has its own Kerberos credential cache.
Normally, on logoff each session calls pam_close_session, which deletes its cache. Some older operating systems and applications such as Telnet and FTP are notorious for not cleaning up after themselves at logoff, so adclient runs a background sweep every 30 minutes to remove leftover credential cache files. Because it cannot tell which caches are still in use, it only removes caches whose owner has no session recorded in utmp; as long as the user has any active session, the sweep leaves all of that user's caches alone. In the listing above, User1 has several long-running telnet sessions, so that user's caches are never swept.
A workaround is to configure all of a user's sessions to share a single Kerberos credential cache. In /etc/centrifydc/centrifydc.conf set:
Save the file and run: adreload
Alternatively, the krb5cc_cdc<uid>_* files can simply be listed and removed when they are 1 or 2 days old; these are usually the leftover cache files.
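The manual clean-up described above, with the same "is the owner still in utmp?" guard that adclient's sweep applies, as an added shell example (not Centrify's code; the function names, the age threshold argument and the optional override of the logged-in user list are assumptions):

```shell
#!/bin/sh
# Hypothetical helper, not part of the Centrify agent: reproduce adclient's
# sweep rule by hand. Lists krb5cc_cdc<uid>_* caches in directory $1 that are
# older than $2 days and whose owner has no live session. $3 optionally
# overrides the logged-in user list (whitespace separated) so the guard can be
# exercised without real utmp entries.
stale_caches() {
    dir=$1
    days=$2
    if [ $# -ge 3 ]; then
        active=$3
    else
        # Same source adclient consults: utmp, as reported by who(1)
        active=$(who | awk '{print $1}' | sort -u | tr '\n' ' ')
    fi
    # -mtime +N selects files last modified more than N*24 hours ago;
    # only the per-session krb5cc_cdc<uid>_* names are candidates
    find "$dir" -maxdepth 1 -name 'krb5cc_cdc*_*' -mtime +"$days" 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        skip=0
        for u in $active; do
            [ "$u" = "$owner" ] && skip=1
        done
        # Keep the cache if its owner still has any session, as the sweep does
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove what stale_caches reports. Call stale_caches alone first to preview.
purge_stale_caches() {
    stale_caches "$1" "$2" ${3+"$3"} | while IFS= read -r f; do
        rm -f -- "$f"
        printf 'removed %s\n' "$f"
    done
}
```

For the case on this page, `stale_caches /tmp 1` previews and `purge_stale_caches /tmp 1` removes the caches that are older than a day and belong to users who have fully logged off.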